Operational Procedures using Red Hat Enterprise Linux Identity Management


This documentation is no longer maintained.

The Red Hat Enterprise Linux Identity Management solution, RHEL IdM integrates Kerberos authentication, directory services, certificate management, DNS and NTP in a single service.

The following sections provide instructions for adding and removing users, and managing user permissions, as well as providing instructions for managing password policies within RHEL IdM.

User Management

Adding a New User

To add a new user, you must first create that user within IdM and then map that user to a set of privileges within MongoDB.


This procedure requires administrative privileges within IdM and MongoDB

  1. Authenticate as an administrator (e.g. admin@EXAMPLE.COM) in Kerberos

    kinit admin
  2. Add a new user by issuing a command similar to the following:

    ipa user-add johnsmith --password

    Follow the prompts to complete adding the new user.

  3. Connect to MongoDB and authenticate as user with at least userAdmin or userAdminAnyDatabase privileges,

    mongo --authenticationMechanism=GSSAPI \
          --authenticationDatabase='$external' \
          --username admin@EXAMPLE.COM
  4. Add the new user to a database and provide the appropriate privileges. In the following example, johnsmith@EXAMPLE.COM is granted “read” privileges on the “test” database.

    use test
    db.addUser( {
                   "user": "johnsmith@EXAMPLE.COM",
                   "roles": [ "read" ],
                   "userSource" : "$external"
                } )

Revoke User Access

To revoke a user’s access, you must complete two steps: first, you must remove the specified user from the databases they have access to, and second, you must remove the user from the IdM infrastructure.

  1. Authenticate as an administrator (e.g. admin@EXAMPLE.COM) in Kerberos and connect to MongoDB:

    kinit admin
    mongo --authenticationMechanism=GSSAPI \
          --authenticationDatabase='$external' \
          --username admin@EXAMPLE.COM
  2. Remove the user from a database using db.removeUser. The following example removes user johnsmith@EXAMPLE.COM from the test database:

    use test

    Repeat these steps for any databases that the user has access to.

You can now either disable or remove the user. Disabled users still exist within the IdM system, but no longer have access to any IdM services (e.g. Kerberos). It is still possible to reactive a disabled user by granting them access to a database.

By contrast, removing a user deletes their information from IdM and they cannot be reactivated in the future.

To disable a user (in this case, johnsmith), issue a command that resembles the following:

kinit admin
ipa user-disable johnsmith

To remove the user, use the user-del instead, as in the following:

kinit admin
ipa user-del johnsmith

Whether disabled or removed, the user in question will no longer have access to Kerberos and will be unable to authenticate to any IdM clients.

Configuring Password Policies

By default, RHEL IdM provides a global password policy for all users and groups. To view the policy details, connect as an administrator, and execute the pwpolicy-show command, is the following:

kinit admin
ipa pwpolicy-show

To view the policies applied to a particular user, you can add the --user=<username> flag, as in the following:

kinit admin
ipa pwpolicy-show --user=johnsmith

You can edit password policies to update parameters such as lockout time or minimum length. The following command changes the global policy’s minimum length allowable for passwords, setting the minimum length to 10 characters.

kinit admin
ipa pwpolicy-mod --minlength=10

For more information, refer to Defining Password Policies within the IdM documentation.